ABSTRACT



An access control system (a firewall) controls traffic to and 
from a local network. The system is implemented on a 
dedicated network device such as a router positioned 
between a local network and an external network, usually 
the Internet, or between one or more local networks. In this 
procedure, access control items are dynamically generated 
and removed based upon the context of an application 
conversation. Specifically, the system dynamically allocates 
channels through the firewall based upon its knowledge of 
the type of applications and protocol (context) employed in 
the conversation involving a node on the local network. 
Further, the system may selectively examine packet pay- 
loads to determine when new channels are about to be 
opened. In one example, the firewall employs different rules 
for handling SMTP (e-mail using a single channel having a 
well-known port number) sessions, FTP sessions (file trans- 
fer using a single control channel having a well known port 
number and using one or more data channels having arbi- 
trary port numbers), and H.323 (video conferencing using 
multiple control channels and multiple data channels, which 
use arbitrary port numbers) sessions. 

37 Claims, 11 Drawing Sheets 
ACCESS CONTROL FOR NETWORKS
BACKGROUND OF THE INVENTION 

This invention relates to network firewalls for controlling 
external access to a particular local network. More 
particularly, the invention relates to network firewalls hav- 
ing dynamic access control lists. 

Firewalls were developed to protect networks from unauthorized accesses. Hackers, corporate spies, political spies, 
and others may attempt to penetrate a network to obtain 
sensitive information or disrupt the functioning of the net- 
work. To guard against these dangers, firewalls inspect 
packets and sessions to determine if they should be trans- 
mitted or dropped. In effect, firewalls have become a single 
point of network access where traffic can be analyzed and 
controlled according to parameters such as application, 
address, and user, for both incoming traffic from remote 
users and outgoing traffic to the Internet. 

Firewalls most commonly exist at points where private 
networks meet public ones, such as a corporate Internet 
access point. However, firewalls can also be appropriate 
within an organization's network, to protect sensitive 
resources such as engineering workgroup servers or finan- 
cial databases from unauthorized users. 

Firewalls protect by a variety of mechanisms. Generally, 
state-of-the-art firewall technology is described in "Building 
Internet Firewalls" by D. Brent Chapman and Elizabeth D. 
Zwicky, O'Reilly and Associates, Inc. which is incorporated 
herein by reference for all purposes. 

One firewall mechanism involves "packet filtering." A 
packet filtering firewall employs a list of permissible packet 
types from external sources. This list typically includes 
information that may be checked in a packet header. The 
firewall checks each inbound packet to determine whether it 
meets any of the listed criteria for an admissible inbound 
packet. If it does not meet these criteria, the firewall rejects 
it. A similar mechanism may be provided for outbound 
packets. 

Often, the firewall maintains the access criteria as an 
access control list or "ACL." This list may contain network 
and transport layer information such as addresses and ports 
for acceptable sources and destination pairs. The firewall 
checks packet headers for source and destination addresses 
and source and destination ports, if necessary, to determine 
whether the information conforms with any ACL items. 
From this, it decides which packets should be forwarded and 
which should be dropped. For example, one can block all 
User Datagram Protocol ("UDP") packets from a specific 
source IP address or address range. Some extended access 
lists can also examine transport-layer information to deter- 
mine whether to forward or block packets. 

While packet filtering is a very fast firewall technology, it 
is not, unfortunately, very good at handling protocols that 
create multiple channels or do not necessarily employ well- 
known port numbers. A channel is typically defined by a 
source address, a destination address, a source port number, 
and a destination port number. In Transport Control Protocol 
("TCP"), a channel is referred to as a connection. For some 
protocols, such as SMTP (electronic mail), only a single 
well-known destination port is used. Conversations involv- 
ing these protocols involve only a single channel. For such 
cases, the packet filtering mechanism will include an ACL 
item defining allowed accesses using the well-known port 
number. Because this well-known port number never 
changes, the ACL item can be set initially and left 
unchanged during the life of the firewall. Other protocols do 
not necessarily use well-known port numbers. In these cases, 
the port number is assigned dynamically. That is, for each 
new session a different port number may be assigned. 
Obviously, in these cases, a static packet filtering mecha- 
nism must either block all use of this protocol or allow all 
use, regardless of port number. This represents a significant 
limitation of standard packet filtering mechanisms. 

In addition to single channel protocols, a variety of 
multi-channel protocols are known and others are being 
developed. For example, the File Transfer Protocol ("FTP") 
sets up a control channel using a well-known port and a data 
channel using a variable port number. The control channel is 
used to initiate the FTP connection between the clients and 
a server. Via this control channel, the client and server 
negotiate a port number for a data channel. Once this data 
channel is established, the file to be retrieved is transmitted 
from the server to the client over the data channel. Other 
newer protocols such as the H.323 protocol used for video 
conferencing employ multiple control channels and multiple 
data channels such as channels for transmission of audio 
information and channels for transmission of video infor- 
mation. The port numbers for these data channels can not be 
known ahead of time. Static packet filtering mechanisms 
have difficulty handling FTP and most multi-channel pro- 
tocols. 

Another approach to firewall designs is employed in a 
"Stateful Inspection" firewall provided by Check Point 
Software Technology Ltd. In this approach, the firewall 
inspects not only the packet header but also the packet 
payload. This allows for the possibility of identifying chan- 
nels in which the port number or numbers are set by the 
communicating nodes during a conversation. Specifically, 
the port numbers of channels about to be opened may be 
specified in the payload or payloads of packets transmitted 
over a control channel for a conversation. By inspecting 
packet payloads in a control channel, the firewall can open 
a temporary channel corresponding to the port numbers 
agreed upon by the nodes establishing the session. When the 
session is terminated, the firewall can reseal the channel 
associated with those port numbers. 

Unfortunately, the firewall implemented by Check Point 
resides on a PC or a workstation host. Such host must be 
positioned at the interface of a local network and an external 
network. Typically, it must be used in conjunction with a 
router. This configuration limits the flexibility and efficiency 
of the firewall. 

For the above and other reasons, it would be desirable to 
have an improved firewall design. 

SUMMARY OF THE INVENTION 

The present invention addresses this need by providing an 
access control system and method for controlling traffic to 
and from a local network. The system and procedures of this 
invention are preferably implemented on a dedicated net- 
work device such as a router positioned between a local 
network and an external network, e.g., the Internet, or 
between one or more local networks. In this procedure, 
access control items are dynamically generated and removed 
based upon the context of an application conversation. 
Specifically, the procedures of this invention may dynami- 
cally allocate channels through the firewall based upon its 
knowledge of the type of application and protocol (context) 
employed in the conversation involving a node on the local 
network. Further, the procedure may selectively examine 
packet payloads to determine when new channels are about 
to be opened. In one example, the system employs different 
rules for handling SMTP (e-mail using a single channel having a well-known port number) sessions, FTP sessions (file transfer using a single control channel having a well known port number and using one or more data channels having arbitrary port numbers), and H.323 (video conferencing using multiple control channels and multiple data channels, which use arbitrary port numbers) sessions.

One aspect of the invention pertains to methods of limiting access to a local network. The methods may be characterized by the following sequence: (a) receiving a packet; (b) identifying an application associated with the packet; (c) determining whether the packet possesses a predefined source or destination address or port; (d) determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated; (e) determining whether to examine the payload of the packet; and (f) examining the packet payload. The method may also include various other operations such as determining whether the packet sequence number falls within a defined sequence window and determining whether the packet has been received after a predetermined timeout period has elapsed.

The process of determining whether the packet meets criteria for a current state may involve determining whether any state transition associated with a TCP or UDP session follows an expected sequence of state transitions (e.g., a TCP FIN packet is received after a session is open). The process of determining whether to examine the payload may involve determining whether the payload may contain an intrusion signature. In a specific embodiment, that involves determining whether the packet is an FTP packet, an RPC packet, a TFTP packet, or an SMTP packet. If the system identifies an intrusion signature in the packet payload of such packet, it will drop the packet. The process of determining whether to examine the payload may also involve determining whether an additional channel of unknown port number may be opened (e.g., the connection is an FTP control channel or an H.323 channel when less than all data channels have been opened). Assuming that the system determines that an additional channel could be opened, it examines the packet payload to identify a port negotiation command. If such port negotiation command is detected, the system may dynamically modify an access control list to create a path for the additional channel.

The system may also detect when a packet initiates a new session (e.g., it is a TCP SYN packet). When this occurs, the method may involve (i) creating a state entry (e.g., a data structure) for the new session; and (ii) creating one or more access control items allowing passage of packets from a node identified in the packet initiating the new session.

Another aspect of the invention pertains to network devices such as routers which may be characterized by the following features: (a) two or more interfaces configured to connect with distinct networks or network segments; (b) a memory or memories configured to store (i) one or more access control criteria for allowing or disallowing a packet based upon header information and (ii) information specifying the content of an application conversation; and (c) a processor configured to compare packet header information with the access control criteria and determine whether to examine packet payloads based upon the context of the application conversation. The network device may include an operating system which controls the network device to perform functions necessary to control access to the local network and route network traffic. To facilitate rapid processing of packets, the network device may include at least two processors, at least one of which is associated with one of the interfaces.

The memory may be configured to store the access control criteria in the form of an access control list. It may also be configured to store state information such as the state of at least one of a TCP session and a UDP session. It may further be configured with information specifying the context of an application conversation indicating whether a side channel may be opened for the application.

The processor may be configured to examine packet payloads when the information in the memory indicates that a side channel may be opened for the application. The processor may also initiate steps to dynamically modify the access control criteria when a new side channel opens.

These and other features and advantages of the present invention will be presented in more detail below with reference to the associated drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating how a firewall of this invention may be integrated in a network.

FIG. 2 is a block diagram of a router that may be used in this invention.

FIG. 3 is a block diagram of a computer architecture that may be employed with this invention.

FIGS. 4-8 are flow charts depicting a preferred method by which the firewalls of this invention may protect a local network.

FIG. 9 is a diagram of a State Information Structure (a data structure) used in a preferred implementation of this invention.

FIGS. 10A-10C depict an FTP session using a firewall/router in accordance with an embodiment of this invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

1. System Structure and Architecture

FIG. 1 illustrates a general arrangement by which a local network allows its hosts (e.g., a host 6) to communicate with external nodes located on an external network 8 such as the Internet. Typically local network 4 is connected to external network 8 via a router 10 which routes packets between external network 8 and local network 4.

In this invention, router 10 may also double as a firewall that protects local network 4 from potentially dangerous accesses from external network 8. When acting as a firewall, a router 10 will, under certain circumstances, allow host 6 to initiate a conversation with an external node 12 that is connected to external network 8. If router/firewall 10 allows host 6 to initiate such a conversation, it must also allow appropriate return communications from node 12 to host 6. Details of how router/firewall 10 allows such conversations and yet protects the local network will be detailed below, in one embodiment.

Generally, a firewall of this invention may be specially constructed for the required purposes, or it may be a general-purpose programmable machine selectively activated or reconfigured by a computer program stored in memory. The processes presented herein are not inherently related to any particular router or other network apparatus. Preferably, the invention is implemented on a network device designed to handle network traffic. Such network devices typically have multiple network interfaces including frame relay and ISDN interfaces, for example. Specific examples of such network devices include routers and switches. For example, the firewalls of this invention may be 
specially configured routers such as specially configured router models 1600, 2500, 2600, 3600, 4500, 4700, 7200, and 7500 available from Cisco Systems, Inc. of San Jose, Calif. A general architecture for some of these machines will appear from the description given below. In an alternative embodiment, the firewall may be implemented on a general-purpose network host machine such as a personal computer or workstation. Further, the invention may be at least partially implemented on a card (e.g., an interface card) for a network device or a general-purpose computing device.

Referring now to FIG. 2, a router 210 suitable for implementing the present invention includes a master central processing unit (CPU) 262, low and medium speed interfaces 268, and high-speed interfaces 212. When acting under the control of appropriate software or firmware, the CPU 262 is responsible for such router tasks as routing table computations and network management. It is also responsible for creating and updating an Access Control List, comparing incoming packets with the current Access Control List, generating State Information Structures, inspecting packet headers and payloads as necessary, enforcing the state of a session, etc. It preferably accomplishes all these functions under the control of software including an operating system (e.g., the Internet Operating System (IOS®) of Cisco Systems, Inc.) and any appropriate applications software. CPU 262 may include one or more microprocessor chips 263 such as the Motorola MPC860 microprocessor, the Motorola 68030 microprocessor, or other available chips. In a preferred embodiment, a memory 261 (such as non-volatile RAM and/or ROM) also forms part of CPU 262. However, there are many different ways in which memory could be coupled to the system.

The interfaces 212 and 268 are typically provided as interface cards (sometimes referred to as "line cards"). Generally, they control the sending and receipt of data packets over the network and sometimes support other peripherals used with the router 210. The low and medium speed interfaces 268 include a multiport communications interface 252, a serial communications interface 254, and a token ring interface 256. The high-speed interfaces 212 include an FDDI interface 224 and a multiport ethernet interface 226. Preferably, each of these interfaces (low/medium and high-speed) includes (1) a plurality of ports appropriate for communication with the appropriate media, and (2) an independent processor such as the 2901 bit slice processor (available from Advanced Micro Devices corporation), and volatile RAM. The independent processors control such communications intensive tasks as packet switching, media control and management. By providing separate processors for the communications intensive tasks, this architecture permits the master microprocessor 262 to efficiently perform routing computations, network diagnostics, security functions, etc.

The low and medium speed interfaces are coupled to the master CPU 262 through a data, control, and address bus 265. High-speed interfaces 212 are connected to the bus 265 through a fast data, control, and address bus 215 which is in turn connected to a bus controller 222. The bus controller functions are provided by a processor such as a 2901 bit slice processor.

Although the system shown in FIG. 2 is a preferred router of the present invention, it is by no means the only router architecture on which the present invention can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc. would also be acceptable. Further, other types of interfaces and media could also be used with the router.

Regardless of the network device's configuration, it may employ one or more memories or memory modules (including memory 261) configured to store program instructions for the network operations and access control functions described herein. The program instructions may specify an operating system and one or more applications, for example. Such memory or memories may also be configured to store access control criteria (e.g., an ACL), state information (specifying the context of a network session, for example), etc.

Because such information and program instructions may be employed to implement the access control systems/methods described herein, the present invention relates to machine readable media that include program instructions, state information, etc. for performing various operations described herein. Examples of machine-readable media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as floptical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory devices (ROM) and random access memory (RAM). Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.

FIG. 3 is a block diagram of a router or other network device 301 that may implement a firewall in accordance with this invention. As shown, network device 301 includes various processes and paths that form part of an operating system for the network device. These may include configuration processes 303, timer processes 305, IP processes 307, and interrupt paths 309. IP processes 307 and interrupts 309 are provided for routine packet handling functions as illustrated in the figure. In addition to these processes and paths, network device 301 includes firewall code 311 for executing firewall functions in response to requests from processes 303, 305, and 307 and interrupts 309. In a preferred embodiment, firewall code 311 may include both an engine that handles transport layer functions and various inspection modules, each of which is dedicated to handling a specific application protocol (e.g., FTP, H.323, etc.). In a further preferred embodiment, firewall code 311 is integrated with the remainder of the network device's operating system.

Firewall code 311 makes use of various data structures and other stored information (collectively indicated by reference numeral 313 in FIG. 3). Examples include access control lists, state information structures (described below), timers, and various other items.

Regarding the operating system, it may require execution of firewall code 311 under various circumstances associated with packet processing. In one example, configuration processes 303 specify that the FTP protocol is to be inspected. Thus process 303 may ask code 311 to configure an access control list to allow initiation of an FTP session. Timer processes 305 may notify code 311 that a particular session has timed out. In this case the firewall code 311 may delete any state information structure for that session as well as the associated ACL items. Still further, IP processes 307 and interrupts 309 may call firewall code 311 during the course of processing a packet to determine whether it meets certain ACL items or to determine whether its payload should be inspected.

2. Firewall Process

Overview

Network communications at high levels, such as at the application layer, may be referred to as "conversations." An 
"application conversation" may have one or many "channels" (also referred to as "sessions" or "socket pairs"). These terms were chosen to cover at least TCP and UDP communications. In TCP, each channel represents a separate "connection." In UDP, which is connectionless, each channel is defined by a unique combination of source and destination IP addresses and port numbers. All UDP packets received within a defined timeout period and having the same unique combination of addresses and port numbers are deemed to belong to the same session or channel.

An application conversation may include only a single well-known channel as in the case of SMTP, HTTP, and Telnet or it may contain many channels as in the case of certain multimedia applications (e.g., H.323 and RealAudio). Still other application conversations may have variable numbers of channels as in the case of FTP and TFTP which create a new data channel each time a different file is transferred from server to client. The present invention handles all of these situations.

Like packet filtering, the access control of this invention examines network and transport-layer information. In addition, it examines application layer protocol information (such as FTP) to learn about and inspect the state of TCP or UDP sessions. This mechanism dynamically creates and deletes temporary openings in the firewall by temporarily modifying access lists to change packet filtering criteria. Preferably, the dynamically created access control list items are stored in memory in the network device's network interface. A firewall of this invention may keep state information in its own data structures (referred to herein as State Information Structures or "SISs") and use that information to create the temporary entries (by dynamically modifying its ACL, for example). Thus, a firewall may retain state information that is not retained in the access list entries. A firewall may inspect each packet within a data flow to ensure that the state of the session and packets themselves meet the criteria established by a user's security policy. State information is used to make intelligent permit/deny decisions. When a session closes, its temporary ACL entry is deleted, and the opening in the firewall is closed.

A firewall may monitor each application on a per-connection basis for comprehensive traffic control capability. The firewall watches application sessions, notes the ports each session is using and opens the appropriate channels for the duration of the session, closing them when the session is finished. Specifically, when a newly authorized session is registered, the system may create a new SIS and any new ACL items for the session. Thereafter, packets transmitted to and from the hosts involved in the connection are allowed to pass back and forth across the firewall so long as the ACL items allow a transmission.

The firewalls of this invention preferably consider the TCP or UDP session state. In fact, a firewall may base decisions on the state of its sessions. To do so, it may maintain a record of the state of each connection going through. Also, the firewalls preferably keep track of items such as: how long ago was the last transmitted packet in this session, are the sequence/acknowledgment numbers climbing as expected, was the session initiated from the inside or outside, is the session still open or has it been closed, and what port or ports are the return data channels using?

The firewalls of this invention may enable a firewall to support protocols that involve multiple data channels created as a result of negotiations in the control channel. As mentioned, many Internet and multimedia applications that use a "well-known" port address to open an initial control connection often use different, dynamically chosen ports for data traffic. It is impossible to predict which ports these applications may use in a given connection, and some of them may use multiple channels over several ports. Thus, depending upon the type of application conversation, the firewall may also monitor the payloads of the packets it passes. This may be the case when, for example, a control channel connection is in a state in which ports for additional channels are negotiated over a control channel. This allows the firewall to determine which additional channels should be dynamically opened through the firewall.

Security Access Policy

An administrator or other authorized person may create a "security access policy" for the firewall. The purpose of this policy is to generally define how to protect the local network. Often the policy will protect the network from all uninvited sessions initiated externally. In such cases, the policy may specify which local nodes may participate in conversations outside the local network and the protocols under which those conversations may take place. In addition, the security access policy may specify particular times when access will be permitted to particular users operating under particular protocols. For example, it may be desirable to provide a security access policy in which certain users cannot communicate outside the local network during nonbusiness hours.

A security access policy typically will specify that few if any uninvited packets from outside the local network are permitted to enter. Then when a local node initiates a conversation with an external node, the firewall must anticipate that packets in response will be addressed to the local node and modify its ACL to include items allowing passage of certain packets having the external node's address.

While a typical security access policy will allow no uninvited packets from external sources, some policies may allow limited conversations initiated by external nodes. Such policies may place restrictions on the protocols that could be used by any external nodes initiating a conversation.

Various combinations of matching (or not matching) packet header fields can be used to support a policy. Examples of specific fields that may be examined include IP destination address, IP source address, IP protocol field, TCP source port, TCP destination port, TCP flags field, SYN alone for a request to open a connection, SYN/ACK for a connection confirmation, ACK for a session in progress, and FIN for session termination. All or some of that information may be compared against an ACL and/or used by the firewall engine to determine whether the packet is appropriate given the current state of the session.

In a specific example, an access control list item may specify the addresses of the communicating hosts (or the sub-networks of one or both of these hosts) and the protocol under which they communicate (identified by a port number for example). More specifically, for example, if the security access policy prevents SMTP sessions initiated from IP host 1.1.1.1 with a destination address 2.2.2.2, then the packet filter would discard packets that have IP destination address=2.2.2.2, IP source address=1.1.1.1, IP protocol=6 (for TCP), and Destination port=25 (for SMTP). Such criteria may represent static Access Control List items.

The access policy may also restrict a given interface on the router or other network device implementing the firewall of this invention. The interface may specify a particular type of media such as FDDI, Ethernet, Token Ring, etc. Other fields may be considered; the policy may add a check "ACK bit not set" to guard against the connection being a non-SMTP connection initiated outgoing from port 25, for example.
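The following is an added illustration, not the patent's own code: a constructed Python model of the mechanism described above (static ACL items, a State Information Structure created when a local node initiates a session, payload inspection of the FTP control channel to open a negotiated data channel, and removal of the temporary entries on FIN/RST or after a timeout). The class and function names, the 300 s timeout, the external server 2.2.2.2 and the packet trace are assumptions; the check that a PORT command names the client's own address is an added safeguard the page does not mention.

```python
import re
from dataclasses import dataclass, field

FTP_CTRL_PORT, FTP_DATA_PORT, SMTP_PORT = 21, 20, 25   # toy model, not the patent's code
APP_BY_PORT = {FTP_CTRL_PORT: "ftp-control", SMTP_PORT: "smtp"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN"}
    payload: bytes = b""
    ts: float = 0.0                  # arrival time in seconds, for the timeout check


@dataclass(frozen=True)
class AclItem:                       # header-only criterion (static deny or dynamic permit)
    src: str
    dst: str
    dport: int
    sport: int = 0                   # 0 = any source port

    def matches(self, p):
        return (p.src == self.src and p.dst == self.dst and p.dport == self.dport
                and self.sport in (0, p.sport))


@dataclass
class SIS:                           # State Information Structure, kept outside the ACL
    app: str                         # application context inferred from the well-known port
    local: str                       # local node that initiated the conversation
    last_seen: float
    dyn_items: list = field(default_factory=list)   # temporary ACL items this channel owns


def channel_key(p):
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)   # both directions map to the same channel


def parse_port(payload):
    """(ip, port) announced by an FTP 'PORT h1,h2,h3,h4,p1,p2' command, else None."""
    m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload.decode("ascii", "replace"), re.I)
    if not m or max(map(int, m.groups())) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Firewall:
    def __init__(self, local_prefix, static_deny, timeout=300.0):
        self.local_prefix, self.timeout = local_prefix, timeout
        self.static_deny = list(static_deny)   # set once and left unchanged
        self.dyn_permit = []                   # created and removed per session
        self.sessions = {}                     # channel key -> SIS

    def _close(self, k):
        for item in self.sessions.pop(k).dyn_items:   # reseal the openings it created
            self.dyn_permit.remove(item)

    def process(self, p):
        """One pass over a packet: returns 'PASS' or 'DROP'."""
        k = channel_key(p)
        sis = self.sessions.get(k)
        if sis and p.ts - sis.last_seen > self.timeout:   # too long since the last packet
            self._close(k)
            return "DROP"
        if any(i.matches(p) for i in self.static_deny):   # static policy items
            return "DROP"
        if sis is None:
            if "SYN" in p.flags and "ACK" not in p.flags and p.src.startswith(self.local_prefix):
                self.sessions[k] = SIS(APP_BY_PORT.get(p.dport, "generic"), p.src, p.ts)
                return "PASS"                                # new session initiated from inside
            if not any(i.matches(p) for i in self.dyn_permit):
                return "DROP"                                # uninvited external packet
            self.sessions[k] = SIS("ftp-data", p.dst, p.ts)  # negotiated data channel
            return "PASS"
        sis.last_seen = p.ts
        if p.flags & {"FIN", "RST"}:                         # termination flags close the channel
            self._close(k)
            return "PASS"
        if sis.app == "ftp-control" and p.src == sis.local:  # inspect payload only in this context
            neg = parse_port(p.payload)
            if neg and neg[0] == sis.local:                  # never open a path to a third party
                item = AclItem(p.dst, neg[0], neg[1], FTP_DATA_PORT)
                self.dyn_permit.append(item)
                sis.dyn_items.append(item)
        return "PASS"


def demo():                          # constructed active-mode FTP trace; returns verdicts and firewall
    fw = Firewall("1.1.1.", [AclItem("1.1.1.1", "2.2.2.2", SMTP_PORT)])
    steps = [
        Packet("1.1.1.1", 5000, "2.2.2.2", SMTP_PORT, frozenset({"SYN"}), ts=0),        # static deny
        Packet("1.1.1.20", 4000, "2.2.2.2", FTP_CTRL_PORT, frozenset({"SYN"}), ts=1),  # control channel
        Packet("2.2.2.2", FTP_CTRL_PORT, "1.1.1.20", 4000, frozenset({"SYN", "ACK"}), ts=1),
        Packet("1.1.1.20", 4000, "2.2.2.2", FTP_CTRL_PORT, frozenset({"ACK"}), b"PORT 1,1,1,20,15,163\r\n", 2),
        Packet("2.2.2.2", FTP_DATA_PORT, "1.1.1.20", 4003, frozenset({"SYN"}), ts=3),  # 15*256+163 = 4003
        Packet("2.2.2.2", FTP_DATA_PORT, "1.1.1.20", 4004, frozenset({"SYN"}), ts=3),  # not negotiated
        Packet("1.1.1.20", 4000, "2.2.2.2", FTP_CTRL_PORT, frozenset({"FIN", "ACK"}), ts=4),
        Packet("2.2.2.2", FTP_DATA_PORT, "1.1.1.20", 4003, frozenset({"ACK"}), ts=400),  # idle past timeout
    ]
    return [fw.process(p) for p in steps], fw
```

Running demo() walks the trace through the model and leaves no SIS and no temporary ACL item behind, which is the state the page expects once a session has closed or timed out.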
Similarly, packet filters may be employed for other protocols such as Novell IPX and AppleTalk protocols, because their formats are well documented and understood.

Process Flow Details

One implementation of the present invention is detailed in the process flow charts depicted in FIGS. 4-8. FIG. 4 presents a high level overview of the process. This particular implementation of the process is referred to by a reference number 400. The process begins at 402 and receives a new packet at the firewall at a step 404. Note that a packet may be associated with a session that has timed out. Timeout criteria are further detailed in a process flow diagram presented in FIG. 7. Briefly, if there is too much time between receipt of consecutive packets belonging to the same session, the firewall will not allow the subsequent packets of the session to pass.

Assuming that the current packet meets the timeout criteria, the firewall next determines whether it meets additional authorization criteria at a decision step 406. These criteria may include such items as the time of day when packets can be sent, source and destination IP addresses, protocols to which the packets may belong (identified by port numbers), and combinations thereof. Such authorization criteria may take the form of ACL items. Most, if not all, of this information may be obtained by examining the packet header in the manner of a traditional packet filter. The ACL items may be divided into static items and dynamic items. Static items usually result directly from the user's security access policy (as described above). Dynamic items may be generated on the fly, typically to allow return traffic for sessions or applications initiated with nodes on the local network.

If the firewall determines at decision step 406 that the packet is not authorized, it drops the packet at step 408. Optionally, the packet is logged at this point. If, on the other hand, the firewall determines that the packet is authorized at decision step 406, it next determines whether the packet is mapped to a currently existing state information structure ("SIS"). As detailed below, these are data structures that maintain "state" information about a currently existing session.

If the firewall determines that no corresponding SIS exists for the current packet, it next determines whether the packet is a UDP or a TCP SYN packet of a configured protocol at a decision step 412. For TCP protocols, a request for a new connection is made with a SYN packet. If the firewall determines that the current packet is not a UDP packet or a TCP SYN packet of a configured protocol (i.e., decision step 412 is answered in the negative), it simply passes that packet on to the destination. If, on the other hand, the firewall determines at decision step 412 that the current packet is in fact a UDP or TCP SYN packet of the appropriate protocol, it realizes that a new connection is being opened and should be watched. Therefore, it creates a new SIS at a step 416. It concurrently adds any necessary ACL items to ensure that return traffic (from the destination) can pass through the firewall, assuming that such return traffic meets other security criteria. The steps of creating a new SIS and associated ACL items will be further detailed in a process flow chart depicted in FIG. 6.

Note that not all protocols are necessarily monitored as sessions (configured protocols). The network administrator may decide that some protocols (e.g., HTTP) need not be monitored. For such protocols, the firewall understands that no SIS need be created when it encounters a packet of such protocol. It simply passes the packet as indicated in step 414. This does not necessarily create a security issue as the packet must still be authorized at step 406.

After the firewall creates the new SIS and associated ACL items at step 416, it further processes the packet at a step 418. Similarly, if the firewall determines that the packet it receives is currently mapped to an SIS at decision step 410 (i.e., decision step 410 is answered in the affirmative), it processes the packet per step 418. Step 418 is further detailed in FIG. 5. After the packet has been processed according to that procedure, the firewall directs process control back to step 404 where it awaits the next packet.

Turning now to FIG. 5, process 418 begins at 502 (corresponding to either step 410 or step 416 of process 400) and follows with a decision step 504 in which the firewall determines whether a TCP connection is being terminated. This is determined by simply identifying an appropriate termination flag in the packet header. These flags may be either the finish (FIN) flag or the reset (RST) flag. Assuming that the firewall determines that the TCP connection is being terminated, it then transitions to a closing or closed state at a step 506. At the appropriate time or upon receipt of a final packet for the connection, the SIS for that connection is terminated and the associated ACL items for that connection are also deleted. At this point, the system may also provide an audit trail which details connections by recording time stamps, source hosts, destination hosts, ports, total number of bytes transmitted, etc.

If the firewall determines at decision step 504 that the TCP connection is not to be terminated, it next determines whether the packet meets certain security criteria at a step 508. It may do this by examining the packet header. These security criteria are typically associated with the particular session to which a packet may belong. Examples include ensuring that the packet sequence number falls within a defined range of sequences (a "sequence window"), the packet type is as expected for a given session state, and the packet header meets ACL items associated with the particular session. The state of a given session may be enforced by ensuring that state transition packets arrive in the expected order (e.g., a SYN packet is not received while a TCP session is in an "open" state). If the firewall finds that the current packet does not meet the criteria specified at step 508, it drops the packet and optionally issues an alert at a step 510.

Assuming that the packet meets the security criteria, as determined at step 508, the firewall next parses the packet payload if necessary as indicated at process step 512. The parsing procedure is further detailed in a flow chart depicted in FIG. 8. After the payload parsing is completed, if needed, the firewall may next update the current session state at a step 514. It may do this if the current packet indicates a state transition.

In one specific embodiment, there are four states for a TCP connection: closed, opening, open, and closing. The transition between closed and opening may occur when a SYN packet is received for a new session. The transition between opening and open states may occur when a SYN/ACK packet is received. The transition to a closing state may occur when a FIN packet is received. Finally, the transition to the closed state may occur upon receipt of a reset packet. In a specific embodiment, UDP communications include the following states: opening, open, and closed. The transition to opening occurs when a first UDP packet for a new session is received. That is, when a UDP packet is received for which there is no existing SIS. The transition from opening to open occurs when the first reply packet to an initial UDP packet is received. The transition to closed occurs when a UDP session times out.
Note that in step 508, the system may drop the packet if 
it does not meet expected state criteria. Such criteria may 
require that state transitions follow an expected sequence: 
e.g., closed, opening, open, and closing for TCP sessions. 
The system might then drop FIN packets received while a 
TCP session is in the closed state or it might drop SYN 
packets while a TCP session is in the open or closing state. 

Step 514 may also involve updating the sequence window for a current session based upon the sequence number of the current packet. The size of the sequence window may be dictated by the network traffic. In a specific embodiment, the sequence window is set at about 1 to 2000 for congested networks and at about 7000 to 9000 for uncongested networks. Preferably, the firewall tracks the sequence number of the packets it receives and the acknowledged sequence number of TCP connections. When the sequence number of a transmitted packet is not in an expected window range as defined based upon the acknowledged sequence window, the packet will be dropped (step 510). The sequence number of the most recent ACK packet may be maintained in the SIS to define the sequence window of allowable packet sequence numbers. Other bookkeeping tasks may be performed at step 514 and updated in the appropriate fields of the SIS. 
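The following is an added illustration, not code from the patent: a toy stateful-inspection engine that follows process 400 (FIG. 4) and the FIG. 5 inspection steps described above, including the dynamic return-traffic ACL item created at step 416, the out-of-order SYN check of step 508, the sequence window anchored at the peer's most recent ACK, and the per-protocol idle timeouts (30 seconds for UDP, 3600 for TCP, the values given for the FIG. 7 embodiment below). Packet headers are constructed dicts, the ACL is a list of 5-tuples with None as a wildcard, and every class, function and field name is the example's own choice rather than the patent's.

```python
"""Toy stateful-inspection engine in the manner of process 400 and FIG. 5 above.
Added example, not the patent's code: packets are dicts built by pkt(), ACL items
are (src, sport, dst, dport, proto) tuples with None as a wildcard."""
import time
from dataclasses import dataclass, field

TCP, UDP = 6, 17
TIMEOUT = {TCP: 3600.0, UDP: 30.0}  # seconds between packets, per the FIG. 7 embodiment
SEQ_WINDOW = 8000                   # "about 7000 to 9000" for uncongested networks


def pkt(src, sport, dst, dport, proto, flags=(), seq=0, ack=0):
    """Constructed packet header (sample input, not captured traffic)."""
    return dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto,
                flags=frozenset(flags), seq=seq, ack=ack)


def acl_match(item, p):
    """An ACL item permits a packet when every non-None field equals the header's."""
    return all(v is None or p[f] == v
               for f, v in zip(("src", "sport", "dst", "dport", "proto"), item))


@dataclass
class SIS:
    """State information structure for one channel (cf. FIG. 9)."""
    src: str; sport: int; dst: str; dport: int; proto: int
    state: str = "opening"                         # TCP: opening/open/closing; UDP: opening/open
    last_seen: float = 0.0                         # timestamp of the last accepted packet
    last_ack: dict = field(default_factory=dict)   # "i"/"r" -> most recent ACK number sent
    acl_items: list = field(default_factory=list)  # dynamically created return-traffic items


class Firewall:
    def __init__(self, static_acl, configured=frozenset({TCP, UDP}), now=time.monotonic):
        self.acl = list(static_acl)   # static items first; dynamic ones are appended
        self.configured = configured  # protocols the administrator monitors as sessions
        self.sessions = {}            # initiator 5-tuple -> SIS
        self.now = now                # injectable clock so timeouts can be exercised
        self.log = []                 # drop reasons (the optional log/alert of steps 408/510)

    def _lookup(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
        return self.sessions.get(fwd) or self.sessions.get(rev)

    def _drop(self, why):
        self.log.append(why)
        return "drop"

    def _close(self, sis):
        """End the session: delete the SIS and every ACL item it created (steps 506/706)."""
        for item in sis.acl_items:
            self.acl.remove(item)
        del self.sessions[(sis.src, sis.sport, sis.dst, sis.dport, sis.proto)]

    def handle(self, p):
        now = self.now()
        sis = self._lookup(p)
        if sis and now - sis.last_seen > TIMEOUT[sis.proto]:  # FIG. 7: gap too long
            self._close(sis)
            return self._drop("timeout")
        if not any(acl_match(i, p) for i in self.acl):      # step 406: static or dynamic item
            return self._drop("acl")
        if sis is None:
            # step 412: only a TCP SYN or first UDP datagram of a configured protocol opens a SIS;
            # anything else is passed (step 414) on the strength of the ACL check alone
            if p["proto"] not in self.configured or (p["proto"] == TCP and p["flags"] != {"SYN"}):
                return "pass"
            sis = SIS(p["src"], p["sport"], p["dst"], p["dport"], p["proto"], last_seen=now)
            ret = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
            sis.acl_items.append(ret)                        # step 416: let the reply back in
            self.acl.append(ret)
            self.sessions[(sis.src, sis.sport, sis.dst, sis.dport, sis.proto)] = sis
            return "pass"
        return self._inspect(p, sis, now)                    # step 418

    def _inspect(self, p, sis, now):
        from_initiator = (p["src"], p["sport"]) == (sis.src, sis.sport)
        if sis.proto == UDP:
            if not from_initiator:
                sis.state = "open"                 # first reply: opening -> open
        else:
            f = p["flags"]
            if "RST" in f:                         # step 504: reset -> closed, SIS removed
                self._close(sis)
                return "pass"
            if "SYN" in f and sis.state in ("open", "closing"):
                return self._drop("state")         # step 508: SYN out of order for this state
            if "FIN" in f:
                sis.state = "closing"              # step 506
            elif sis.state == "opening" and f == {"SYN", "ACK"} and not from_initiator:
                sis.state = "open"                 # step 514: SYN/ACK completes the opening
            me, peer = ("i", "r") if from_initiator else ("r", "i")
            peer_ack = sis.last_ack.get(peer)      # window anchored at the peer's last ACK
            if peer_ack is not None and not peer_ack <= p["seq"] < peer_ack + SEQ_WINDOW:
                return self._drop("seq")           # step 510
            if "ACK" in f:
                sis.last_ack[me] = p["ack"]
        sis.last_seen = now
        return "pass"                              # step 516
```

A static policy here consists only of items for traffic sourced inside the local network; everything inbound reaches the local host solely through the dynamic item that the initiating SYN or UDP datagram created, and that item disappears with the session (RST, or idle longer than the protocol's timeout), which is the property the text's "dynamic ACL items" are meant to provide.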

Finally, after any necessary updates are performed at step 514, the firewall forwards the packet to its destination at a process step 516 and the process is completed at 518 (corresponding to step 404 in process 400). 

The process associated with creating a new SIS and adding any new ACL items to ensure return traffic (step 416 of process 400) is depicted in FIG. 6. The process begins at 602 (corresponding to decision step 412 of process 400). Then, if the current packet matches a "pre-gen SIS" (described below), the system updates the ACL items of the pre-gen SIS and may create one or more output ACL items (if warranted). This is accomplished at a process step 604. 

A pre-gen SIS is created when the firewall determines that a side channel or data channel is about to be opened. As explained below, this determination may be made when packet payloads of certain protocols are examined. When the firewall finds a payload marker suggesting that a side/data channel is about to be opened, it prepares for the new connection (associated with the new channel) by creating a precursor (pre-gen) SIS. At this point, the firewall may only know the destination port (as indicated by a port negotiation command in the payload). The ACL items created for the pre-gen SIS may specify this destination port, but they cannot specify the source port, as this is as yet unknown. The second port can be specified when the firewall receives the SYN packet for the new side channel. Such SYN packet will specify the source port and this information may now be added to the ACL associated with the pre-gen SIS at step 604. If the packet under consideration does not match a pre-gen SIS, step 604 is skipped. 
Next, at a step 606, the firewall creates a fresh SIS (for a current UDP or TCP SYN packet) and initializes its fields. If the new SIS is created based upon a pre-gen SIS, some of the initial information is taken from the pre-gen SIS. Finally, at a step 608, the firewall creates one or more ACL items to ensure return traffic is permitted for the new session. Note that if a pre-gen SIS existed, the ACLs may have been created at step 604. Without these new ACL items, it is likely that return traffic (presumably from the external network) would be blocked. The new ACL items will typically allow packets from the external node IP address to a local node IP address (as identified in the initial TCP SYN or UDP packet for the SIS) and the associated port number. The process is concluded at 610 (corresponding to step 418 of process 400). 
The timeout provisions are detailed in FIG. 7. These 
provisions were discussed above with reference to step 404 
of process 400. Preferably, the timeout provisions are imple- 
mented via interrupts and can be triggered at any stage in the 
firewall process. These provisions are designed to end a 
session if there is too great a delay between successive 
packets in that session. Leaving a firewall passage open for 
too long a time exposes the local network to a potential 
security problem. 

The process begins at 702 (corresponding to step 402 of 
process 400) and includes a decision step 704 in which the 
firewall determines whether there has been a timeout since 
the last valid packet was received for the session represented 
by an SIS. In a specific embodiment, the timeout is 30 
seconds between successive UDP packets and 3600 seconds 
between successive TCP packets. Preferably, these timeout 
periods are configurable. If the firewall determines that the 
timeout period has been exceeded (by receipt of an interrupt 
for example), it ends the session and deletes the associated 
SIS and ACL items at a process step 706. If, on the other 
hand, the timeout period has not been exceeded (decision 
step 704 is answered in the negative), the firewall restarts the 
appropriate timer when the next packet for that session is 
received. See process step 708. The process is then com- 
pleted at 710 which corresponds to step 406 in process 400. 

To provide a flexible but secure firewall, a security 
algorithm must examine packet payloads. Preferably, the 
payload is examined under only certain conditions. By 
preventing the payload from being examined in all cases, the 
performance of the system is improved. In a preferred 
embodiment, the payload is only examined under two cir- 
cumstances. First, the payload may be examined to identify 
any intrusion signatures. Certain types of intrusion attempts 
may be detected by comparing payloads with well-known 
intrusion signatures. In a specific embodiment all packets of 
FTP, RPC, TFTP, and SMTP are examined for intrusion 
signatures. Packet payloads of other protocols are not exam- 
ined for such signatures in this specific embodiment. 

Second, the payload is examined when there is a possi- 
bility that an additional channel may be opened. When this 
is a possibility, the firewall of this invention watches packet 
payloads to determine whether a port negotiation command 
has been detected. As noted, some application conversations 
involve multiple channels. Often there are one or more 
control channels and one or more data channels. H.323 
video conferencing, for example, includes up to three con- 
trol channels and four data channels. One data channel 
involves transmission of audio data from a first party, 
another data channel involves transmission of video data 
from the first party, another data channel involves transmis- 
sion of audio data from a second party, and the final data 
channel involves transmission of video data from the second 
party. Each new data channel includes a port number that 
can not be known ahead of time. Each new channel requires 
a dynamic adjustment of the firewall to temporarily allow 
data to pass via that channel. The generation of a new 
channel is prefaced by a "port negotiation command" in a 
control channel. 

In a preferred embodiment, only the payloads of control channels are examined for port negotiation commands. This is because data channel payloads do not indicate that additional channels may be opened. Further, control channel payloads are examined only when there is a possibility that an additional channel may be opened. In an H.323 conversation, for example, when all seven channels have been opened, there is no need to further monitor the payloads of the control channels. And, in a NetMeeting videoconference, the system preferably inspects the TCP control channel used to establish media channels. This control channel contains information that opens new media channels. The system watches it to identify those ports that media channels use and opens additional channels on a dynamic basis. The media and media control channels for audio and video are not inspected or monitored, because these channels only transport data and cannot open additional channels. This maximizes router and network performance to assure proper delivery of time-sensitive data. 

In a specific embodiment, the firewall engine and associated application modules contain the intelligence to know when to watch payloads for new channels. When a port negotiation command is detected, the firewall recognizes that a data channel defined by port numbers for the communicating nodes is about to be established. In the payload, it detects the identity of one port of the data channel through which data will be transmitted in a first direction. At this point, the firewall of this invention creates an ACL item for that port. The other port number of a new channel is identified in the header of the first packet following a port negotiation command that specifies the negotiated port. That packet is allowed through, and from its port number, the firewall creates another ACL item that together with the previously created ACL item defines the new data channel. 

The overall process of parsing a payload (step 512 of process 418) is detailed in FIG. 8. As shown there, the process begins at 802 (corresponding to decision step 508 of process 418) and follows with a decision step 804 in which the firewall determines whether the current session is one of the following protocols: FTP, TFTP, RPC, or SMTP. If so, it examines the payload to determine whether it has a specified intrusion signature. See decision step 806. For these protocols, it is understood that certain intrusion mechanisms are known and used to defeat network security. These mechanisms leave certain signatures that can be specified for detection ahead of time. If such an intrusion signature is identified at decision step 806, the firewall drops the current packet and resets the connection at a step 808. 

Assuming that no intrusion signature is located at decision 
step 806 or that the protocol of the current packet is not one 
of FTP, TFTP, RPC, or SMTP, the firewall next determines 
whether it is expecting additional channels to be opened at 
a decision step 810. As mentioned, certain types of appli- 
cations may have multiple channels: typically a control 
channel and one or more side or data channels. The ports 
associated with such side or data channels cannot be known 
ahead of time. At step 810, the system determines whether 
the packet is associated with an application that could open 
multiple channels (e.g., FTP or H.323) and, if so, whether 
any other channels might be opened for that application. As 
mentioned, many applications, such as H.323, have an 
expected or maximum number of side channels. 

Assuming that the application is of a type which may 
involve additional channels (and not all possible channels 
associated with that application have yet been opened), the 
firewall next examines the packet's payload to determine 
whether it includes a port negotiation command. See deci- 
sion step 812. Such commands indicate that a new channel 
is likely to be opened very soon. If the firewall does detect 
such command at decision step 812, it next prepares to 
create a new passage for a new channel at a process step 814. 
This involves creating a pre-gen SIS and associated ACL 
items as mentioned above. Note that at this stage the ACL 
items can specify source and destination addresses and 
possibly a destination port, but usually not a source port. The 
source port for the channel may be determined when a 
subsequent SYN packet for the new channel is received. 
After the appropriate preparations are undertaken, the pro- 
cess is complete at 816 (corresponding to step 514 of process 
418). Also, if either of decision steps 810 or 812 is answered 
in the negative, the process is completed at 816. 

Note that the firewall only inspects packet payloads in control 
channels where port negotiation commands may appear. 
This conserves system resources. Further, only a subset of 
the packets in a control channel will have their payloads 
inspected. Most packets include a "command name" which 
indicates whether the payload is likely to contain port or 
address information such as a port negotiation command. If 
the command name is not of a type that could include a port 
negotiation command, the firewall discontinues its inspec- 
tion of the payload. This further conserves resources. 

3. State Information 

As indicated above, the systems and methods of this 
invention preferably monitor the state of each channel. To 
accomplish this, they may create an SIS for each channel, 
even if there are other channels associated with the appli- 
cation. The firewall engine (and/or associated application 
modules) uses its knowledge of the expected behavior in 
each state to analyze packet headers and determine whether 
the current packet comports with what it expects in the 
current state. If a packet is not of the type expected given the 
current state, the firewall will drop it because it may be an 
illicit packet masquerading as a packet of a current session. 

FIG. 9 depicts one example of a SIS 900 that may be used 
with this invention. The SIS includes various fields for use 
in monitoring a particular session. In SIS 900, these fields 
include source and destination addresses 902 and 904 and 
ports 906 and 908 defining a socket pair, a protocol type 910 
(e.g., UDP or TCP), a TCP state 912 (as defined by the TCP 
standard), a session state 914 as described above (e.g., 
closed, opening, open, closing for TCP; opening, open, and 
closed for UDP), sequence information 916 including the 
sequence numbers of the initiator's and responder's most 
recent packets and the size of the sequence window for the 
initiator and responder, timeout information 918 specifying 
timestamps on the most recent packet or packets in the 
session and relevant timeout period, various flags 920 (e.g., for 
inspecting at the process level, inspecting the TCP 
packet order, inspecting the TCP termination sequence, 
inspecting Network Address Translation information, 
inspecting the payload, etc.), a list of ACL items 922 
associated with the session (dynamically created), and point- 
ers 924 to other sessions (SISs) that form part of the same 
application conversation. Regarding the last of these 
(pointers to other sessions), note that a given application 
conversation such as FTP or H.323 may have multiple 
channels (each defined by a separate session or TCP 
connection). The firewall often needs to check on the status 
of a related session in order to make a decision about a 
packet in a different session. 

While not illustrated in FIG. 9, the SIS may also include 
alternative addresses and port numbers that may be used 
with a local network employing Network Address Transla- 
tion. Network Address Translation (NAT) enhances network 
privacy by hiding internal addresses from public view. It 
also reduces the cost of Internet access by enabling conservation 
of registered IP addresses. Network Address Translation is 
described in K. Egevang and P. Francis, "The IP Network 
Address Translator (NAT)," RFC 1631, Cray 
Communications, NTT, May 1994 which is incorporated 
herein by reference for all purposes. 

4. Example 

FIGS. 10A through 10C illustrate how the present invention may be employed to control an FTP session. In these figures a router/firewall 1001 connects a local network 1003 to an external network 1005 (e.g., the Internet). Initially, router/firewall 1001 has received the SYN, ACK/SYN, and ACK packets necessary to establish an FTP control channel. All such packets had to meet criteria specified in an ACL 1007. Upon receipt of the SYN packet, firewall/router 1001 created an SIS 1009 for the FTP control channel. 

As shown in FIG. 10A, a packet 1011 from external network 1005 enters firewall/router 1001 through an interface and must have its header checked against ACL 1007. If it does not meet the criteria specified by ACL 1007, it is dropped as indicated by arrow 1013. As the packet is for the FTP control channel, it must also meet criteria associated with SIS 1009 (state, sequence number, etc.). If it does not meet these criteria, it is dropped as indicated by arrow 1015. In this case, it passes as indicated by arrow 1017. Along the way, SIS 1009 is updated with information from packet 1011 (sequence number, state, etc.). 

Next, as illustrated in FIG. 10B, an FTP packet 1019 with a port negotiation command is received from local network 1003. Because it contains a port negotiation command, firewall/router 1001 opens a pre-gen SIS 1021 to prepare for the new data channel. It also adds appropriate ACL items to ACL 1007 in anticipation of the new data channel. These items specify a first port number for the new data channel as identified in the port negotiation command. This allows return traffic over the new channel. 

Then, as illustrated in FIG. 10C, the first data packet for the new channel (packet 1023) arrives from external network 1005. Because ACL 1007 has been modified to allow it through, it passes to inspection per pre-gen SIS 1021, which is now converted to a regular SIS. In addition, the second port number for the data channel appears in the header of packet 1023. This information is used to modify the appropriate item(s) in ACL 1007 pertaining to the FTP data channel. 

Data for the FTP data channel continues to flow across firewall/router 1001 so long as it meets the various requirements of ACL 1007 and SIS 1021. Eventually, the connection associated with the channel is terminated and SIS 1021 is removed. The dynamically created ACL items associated with the channel are also removed from ACL 1007. 
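As an added illustration (not code from the patent), the following Python implements the control-channel payload inspection of FIG. 8 and the pre-gen bookkeeping walked through in FIGS. 10A-10C: the payload is parsed only when its command name can carry a port negotiation, a matching command creates an ACL item with one port still unknown, and the data channel's first SYN supplies that port and completes the item. It goes beyond the text's PORT example in two places, both the example's own assumptions: it also handles the server's 227 reply to PASV, where the unknown port is the local client's, and it refuses an announced address that is not the speaker's own, which is the FTP bounce case. The class and function names and the byte-string payloads are constructed for the example.

```python
"""FTP control-channel payload inspection and pre-gen ACL items, in the manner of
FIG. 8 and FIGS. 10A-10C. Added example, not the patent's code. ACL items are
(src, sport, dst, dport, proto) with None marking the port not yet known."""
import re

TCP = 6
# Command names whose payload can carry a port negotiation: PORT from the client and,
# as a generalisation of the text's PORT case, the server's 227 reply to PASV.
NEGOTIATING = {b"PORT", b"227"}
HOST_PORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_negotiation(payload):
    """Return (host, port) announced by a PORT command or 227 reply, else None.
    Any other command name ends inspection of the payload immediately (the
    "command name" short cut described above)."""
    name = payload.split(b" ", 1)[0].strip()
    if name not in NEGOTIATING:
        return None
    m = HOST_PORT.search(payload)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):        # h1-h4, p1, p2 are all octets
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class DataChannelTracker:
    """Pre-gen bookkeeping for one FTP control channel between a local and a remote host."""

    def __init__(self, local, remote):
        self.local, self.remote = local, remote
        self.pregen = {}   # (listener ip, listener port) -> provisional ACL item
        self.acl = []      # dynamically created items for data channels

    def on_control_payload(self, sender, payload):
        """Steps 812/814: a port negotiation yields a pre-gen item with one port unknown."""
        neg = parse_port_negotiation(payload)
        if neg is None:
            return None
        host, port = neg
        if host != sender:  # announced listener must be the speaker itself (bounce guard, assumed)
            return None
        if host == self.local:   # PORT: the remote server will connect in to local:port
            item = (self.remote, None, self.local, port, TCP)
        else:                    # 227: local connects out; return traffic comes from remote:port
            item = (self.remote, port, self.local, None, TCP)
        self.pregen[(host, port)] = item
        self.acl.append(item)
        return item

    def on_syn(self, src, sport, dst, dport):
        """Step 604: the data-channel SYN supplies the missing port; the inbound item is completed."""
        item = self.pregen.pop((dst, dport), None)
        if item is None or {src, dst} != {self.local, self.remote}:
            return None
        if src == self.local:    # outbound SYN (PASV case): return item is remote:port -> local:sport
            full = (dst, dport, src, sport, TCP)
        else:                    # inbound SYN (PORT case): item is remote:sport -> local:port
            full = (src, sport, dst, dport, TCP)
        self.acl[self.acl.index(item)] = full
        return full
```

In the PORT case the provisional item already admits the inbound SYN (its source port is the wildcard), exactly as packet 1023 is let through above; the completed item then confines the channel to the one source port actually seen. The octet-range check matters because a PORT argument such as 300,10 has no valid encoding and should not be turned into a port number.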

5. Other Embodiments 

Although the foregoing invention has been described in some detail for purposes of clarity of understanding, it will be apparent that certain changes and modifications may be practiced within the scope of the appended claims. For example, the local network described above may be a single local area network or multiple local area networks connected as a wide area network. Further, the security algorithm described above may be applied to a single machine as well as a network. 

What is claimed is: 

1. A method, implemented on a dedicated network device which receives and transmits network traffic, for limiting access to a local network, the method comprising: 

receiving a packet at the network device; 
identifying an application associated with the packet; 
determining whether to examine the payload of the packet based on whether certain conditions are met; and 
examining the packet payload based on the determination. 

2. The method of claim 1, wherein determining whether to examine the payload comprises determining whether the payload may contain an intrusion signature. 
3. The method of claim 1, wherein determining whether to examine the payload comprises determining whether the packet is an FTP packet, an RPC packet, a TFTP packet, or a SMTP packet; and 

wherein examining the packet payload identifies the presence or absence of an intrusion signature. 

4. The method of claim 1, wherein determining whether 
to examine the payload comprises determining whether an 
additional channel of unknown port number may be opened. 

5. The method of claim 4, wherein examining the packet 
payload comprises examining the payload to identify a port 
negotiation command. 

6. The method of claim 5, further comprising modifying 
the network device to allow packets associated with the 
additional channel to pass. 

7. The method of claim 6, wherein the packets are allowed 
to pass by dynamically modifying an access control list to 
create a path for the additional channel. 

8. The method of claim 1, further comprising: 
examining the packet's header; and 

determining whether information in the packet header 
corresponds to an access control item. 

9. The method of claim 8, further comprising dynamically 
adjusting a list of access control items based upon exami- 
nation of the packet payload. 

10. The method of claim 1, further comprising: 
identifying a session associated with the packet; 
determining whether the packet has been received after a predetermined time out period has elapsed since the last packet of the session was received; and 
if the predetermined time out period has elapsed, rejecting the packet. 

11. A computer program product comprising a computer 
readable medium on which is stored program instructions 
for a method, implemented on a dedicated network device 
which receives and transmits network traffic, the method 
limiting access to a local network, and comprising: 

receiving a packet at a network device; 

identifying an application associated with the packet; 

determining whether to examine the payload of the packet based on whether certain conditions are met; and 

examining the packet payload based on the determination. 

12. The computer program product of claim 11, wherein 
the instructions for determining whether to examine the 
payload comprise instructions for determining whether an 
additional channel of unknown port number may be opened 
in the application associated with the packet. 

13. The computer program product of claim 11, wherein 
the program instructions further specify: 

identifying a session associated with the packet; 

determining whether the packet has been received after a 
predetermined time out period has elapsed since the last 
packet of the session was received; and 

if the predetermined time out period has elapsed, rejecting 
the packet. 

14. A dedicated network device which receives and trans- 
mits network traffic and capable of controlling access to a 
local network, the network device comprising: 

multiple interfaces configured to connect with distinct 
networks or network segments; 

a memory or memories configured to store (i) one or more 
access control criteria for allowing or disallowing a 
packet based upon header information and (ii) infor- 
mation specifying an application conversation; and 
a processor configured to compare packet header infor- 
mation with the access control criteria and could deter- 
mine whether to examine packet payloads based upon 
the context of the application conversation. 

15. The network device of claim 14, wherein the network 
device is a router or a switch. 

16. The network device of claim 14, wherein the memory 
is configured to store the access control criteria in the form 
of an access control list. 

17. The network device of claim 14, wherein the memory 
is configured to store the state of at least one of a TCP 
session and a UDP session. 

18. The network device of claim 14, wherein the memory 
is configured with information specifying the context of an 
application conversation indicating whether a side channel 
may be opened for the application. 

19. The network device of claim 14, wherein the proces- 
sor is configured to examine packet payloads when context 
information in the memory indicates that a side channel may 
be opened. 

20. The network device of claim 19, wherein the proces- 
sor is configured to dynamically modify the access control 
criteria when a new side channel opens. 

21. The network device of claim 14, further comprising an 
operating system controlling the network device to perform 
functions necessary to control access to the local network 
and route network traffic. 

22. The network device of claim 14, wherein the network 
device comprises at least two processors, at least one of 
which is associated with one of the multiple interfaces. 

23. A method implemented on a computer or dedicated 
network device for controlling access to a local network, the 
method comprising: 

receiving a packet; 

determining whether the packet possesses a predefined 
source or destination address or port; 

determining whether the packet meets criteria for a cur- 
rent state of a TCP or UDP session with which it is 
associated; 

determining whether to examine the packet's pay load 
based on whether certain conditions are met; and 

examining the packet's payload based on the determina- 
tion. 

24. The method of claim 23, further comprising deter- 
mining whether the packet sequence number falls within a 
defined sequence window. 

25. The method of claim 23, further comprising: 

determining whether the packet has been received after a 
predetermined timeout period has elapsed since the last 
packet of the session was received; and 

if the predetermined timeout period has elapsed, rejecting 
the packet. 

26. The method of claim 23, wherein determining whether 
the packet possesses the predetermined source or destination 
address or port comprises matching information in the 
packet header against information in an access control list. 

27. The method of claim 23, wherein determining whether 
the packet meets criteria for a current state comprises 
determining whether any state transition associated with a 
TCP or UDP session follows an expected sequence of state 
transitions. 

28. The method of claim 23, wherein determining whether 
to examine the payload comprises determining whether the 
payload may contain an intrusion signature. 

29. The method of claim 23, wherein determining whether 
to examine the payload comprises determining whether the 
packet is an FTP packet, an RPC, a TFTP packet, or an SMTP 
packet; and 

wherein examining the packet payload identifies the pres- 
ence or absence of an intrusion signature. 

30. The method of claim 23, wherein determining whether 
to examine the payload comprises determining whether an 
additional channel of unknown port number may be opened. 

31. The method of claim 30, wherein examining the 
packet payload comprises examining the payload to identify 
a port negotiation command. 

32. The method of claim 31, further comprising modify- 
ing the network device to allow packets associated with the 
additional channel to pass. 

33. The method of claim 32, wherein the packets are 
allowed to pass by dynamically modifying an access control 
list to create a path for the additional channel. 

34. The method of claim 31, wherein the packet initiates 
a new session, the method further comprising: 

creating a state entry for the new session; and 

creating one or more access control items allowing pas- 
sage of packets from a node identified in the packet 
initiating the new session. 

35. A computer program product comprising a computer 
readable medium on which are stored computer program 
instructions for a method of controlling access to a local 
network, the computer program instructions specifying: 

receiving a packet; 

determining whether the packet possesses a predefined 
source or destination address or port; 

determining whether the packet meets criteria for a cur- 
rent state of a TCP or UDP session with which it is 
associated; 

determining whether to examine the packet's payload 
based on whether certain conditions are met; and 

examining the packet's payload based on the determina- 
tion. 

36. The computer program product of claim 35, wherein 
the instructions for determining whether the packet meets 
criteria for the current state comprise instructions for deter- 
mining whether any state transition associated with the TCP 
or UDP session follows an expected sequence of state 
transitions. 

37. The computer program product of claim 35, wherein 
the program instructions further specify: 

determining whether the packet initiates a new session; 

creating a state entry for the new session; and 

creating one or more access control items allowing pas- 
sage of packets from a node identified in the packet 
initiating the new session. 
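
The method of claims 23 to 37, modelled in Python as an added example (this is not code from the patent or its assignee): packets are plain dicts, the access control items, the timeout and the sequence window are constructed values, and sequence numbers are simplified to count payload bytes only.

```python
import re

# Constructed access control items (claims 16, 18). "side_channel" is the
# context information saying whether the application may open a data
# channel on an arbitrary port (FTP control: yes; SMTP: no).
ACL = [{"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21, "side_channel": True},
       {"src": "10.0.0.5", "dst": "192.0.2.20", "dport": 25, "side_channel": False}]
SESSION_TIMEOUT = 300      # seconds, constructed value (claim 25)
SEQ_WINDOW = 65535         # allowed distance from the expected sequence number (claim 24)
sessions = {}              # (src, dst, sport, dport) -> {"last": ts, "next_seq": n}
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # FTP port negotiation

def acl_lookup(pkt):
    """Claim 26: match header fields against the access control items."""
    for item in ACL:
        if (pkt["src"], pkt["dst"], pkt["dport"]) == (item["src"], item["dst"], item["dport"]):
            return item
    return None

def process(pkt, now):
    """Return 'pass' or 'drop' for one packet, updating session state and ACL."""
    item = acl_lookup(pkt)
    if item is None:
        return "drop"
    key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    sess = sessions.get(key)
    if sess is None:                       # claims 34, 37: state entry for a new session
        sessions[key] = {"last": now, "next_seq": pkt["seq"] + len(pkt["payload"])}
    elif now - sess["last"] > SESSION_TIMEOUT:   # claim 25: session timed out
        del sessions[key]
        return "drop"
    elif abs(pkt["seq"] - sess["next_seq"]) >= SEQ_WINDOW:  # claim 24: outside window
        return "drop"
    else:
        sess.update(last=now, next_seq=pkt["seq"] + len(pkt["payload"]))
    # Claims 19, 30, 31: examine the payload only when the context says a side
    # channel may be opened, and only to find the port negotiation command.
    if item["side_channel"]:
        m = PORT_RE.match(pkt["payload"])
        if m:
            a, b, c, d, p1, p2 = map(int, m.groups())
            # Claims 32, 33: the server will connect back to the negotiated
            # address and port, so add an item letting that data channel pass.
            ACL.append({"src": pkt["dst"], "dst": f"{a}.{b}.{c}.{d}",
                        "dport": p1 * 256 + p2, "side_channel": False})
    return "pass"
```

The SMTP item never triggers payload inspection, so a PORT-shaped string in a mail session opens nothing; only the FTP control channel can create a dynamic entry, and that entry is narrowed to the one negotiated address and port.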

* * * * * 